Great tutorial, it helped me a lot in getting started with the main steps. Thanks! Anyway, sorry for the newbie question, but how am I supposed to execute the commands which will combine the .crt files into a bundle? I mean, do I have to upload the .crt files first to the root directory of my server and then execute the command in a terminal app? I use Mac OS X and Terminal.app to ssh into my server.

@minhhahl -- For what it's worth, that StackExchange post was right on. I combined the domain's cert, COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt into one file (leaving off AddTrustExternalCARoot.crt) and my site passed the SSL labs test.

My certificate zip included 4 files. I used cat to chain all 4 files together and it worked correctly - a pretty green lock in the browser address bar.

```sh
cat domain.crt intermediate1.crt intermediate2.crt authority.crt > domain.chained.crt
```

Suggested addition to the Gist in response to @dillchuk's comment about verifying:

6. Restart nginx.

Test to see if your new configuration is valid (if the test fails, go to step 7):

```sh
sudo service nginx configtest
```

If configtest passes without errors, then reload:

```sh
sudo service nginx reload
```

7. Testing your .key, .csr and chained .crt files with the openssl CLI

The output of these three commands should be an identical hash. If one is different, you will see an error when running nginx configtest.

Sample output:

```
Modulus=CC9DE72...99C4564AA985E28877D
```

Test key:

```sh
openssl rsa -noout -modulus -in example.com.key
```

Test CSR:

```sh
openssl req -noout -modulus -in example.com.csr
```

Test the original crt and the bundled crt separately. I find that 50% of the time I've uploaded the wrong .crt (an old one from the same domain) and didn't realize it. The rest of the time it has either bundled the wrong files or in the wrong order.

```sh
openssl x509 -noout -modulus -in example_com.crt
openssl x509 -noout -modulus -in ssl-bundled.crt
```

Somehow I keep ending up on this page all the time, so it seems to be a popular answer to the problem with Comodo certificates and nginx. Unfortunately, with a recent enough (2015) Qualys.com SSL test the given instructions lead either to "Chain issues: Contains anchor" or "Extra download". After a bit more digging I came down to the recipe that makes the SSL test happy.

To avoid the anchor error you should omit the Root CA certificate from the bundle. So, the bundle should contain:

If you omit COMODORSAAddTrustCA.crt from the bundle you'll get rid of the anchor error, but will get the "extra download" warning.

If you want (and you do!) to get OCSP stapling enabled on your server, then you'd need the full certificate chain to be available to the server. To work around the problem described above, nginx has another directive that makes a certificate known to the server, but not sent to the client - ssl_trusted_certificate.

The ca-bundle file contains the concatenated intermediate certificates in X.509 PEM format. The .p7b seems to contain the same information in PKCS#7 format, but I couldn't read it with the openssl pkcs7 -in command, so it seems to be supported by Windows only and is generally needed for IIS/Tomcat.

As was said above, you can get the separate intermediate certificates from:

It looks like this guide is for installing a new cert; I am looking for a guide to renew an existing cert which is going to expire. My stack is a Rails application with nginx + Passenger, a PostgreSQL db and Sidekiq job handlers, if they matter.

Thanks a lot. Just for the record, if you happen to face the following error:

```
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/ssl...
```

make sure that the certificates are not stuck together like this:

```
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
```

nginx can't read this. They should be separated with \r\n (enter).
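The checks from step 7 above, the "contains anchor" / ssl_trusted_certificate point, and the glued END/BEGIN problem from the comment just above, exercised end to end in one script. This is an added example, not code from the gist or from any of the commenters. It generates its own throwaway root, intermediate and leaf with the openssl CLI so that it runs offline, and every name in it (Demo Root CA, Demo Intermediate CA, example.com, the file names, the 127.0.0.1 resolver in the nginx fragment) is an assumption made for the demo.

```shell
#!/bin/sh
# Added example; not code from the gist or from any of the commenters. It builds a
# throwaway root -> intermediate -> leaf chain with the openssl CLI, bundles it the
# way the thread describes and runs the checks worth doing before nginx ever sees
# the files. Names (Demo Root CA, example.com, file names) are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
# ca_ext is what makes openssl verify accept a certificate as an issuer.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF

gen_key_csr() {  # $1 = basename, $2 = CN
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -days 30 -sha256 \
    -subj '/CN=Demo Root CA' -keyout root.key -out root.crt 2>/dev/null
gen_key_csr intermediate 'Demo Intermediate CA'
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile demo.cnf -extensions ca_ext -out intermediate.crt 2>/dev/null
gen_key_csr example.com example.com
openssl x509 -req -in example.com.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 30 -sha256 -out example.com.crt 2>/dev/null

# ssl_certificate: leaf first, then intermediates, no root (the "anchor").
cat example.com.crt intermediate.crt > ssl-bundled.crt
# ssl_trusted_certificate: the issuers including the root, used for ssl_stapling_verify.
cat intermediate.crt root.crt > trusted.crt

# Step 7 of the thread: equal hashes mean key, CSR and cert belong together.
# openssl x509 only looks at the first cert in a bundle, which is the one you want.
modulus_hash() {  # $1 = rsa|req|x509, $2 = file
    openssl "$1" -noout -modulus -in "$2" | openssl sha256 | awk '{print $NF}'
}
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }
# Order as the server will send it: every issuer should be the next subject.
list_chain() { openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout; }
# SSL Labs "Chain issues: Contains anchor" means a self-signed cert is in the bundle.
contains_anchor() {
    rm -rf parts && mkdir parts
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > ("parts/" n ".pem") }' "$1"
    for p in parts/*.pem; do
        [ "$(openssl x509 -noout -subject_hash -in "$p")" = \
          "$(openssl x509 -noout -issuer_hash -in "$p")" ] && return 0
    done
    return 1
}
# Can a client that trusts $2 build a path to the leaf from what the server sends ($1)?
chain_verifies() { openssl verify -CAfile "$2" -untrusted "$1" example.com.crt >/dev/null 2>&1; }

# The PEM_read_bio_X509_AUX trap from the thread: a .crt without a trailing newline
# glues "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" onto one line when cat'd.
has_glued_boundary() { grep -q -- '-----END CERTIFICATE----------BEGIN' "$1"; }
unglue_bundle() {  # $1 = input, $2 = output with the boundary split onto two lines
    awk '{ gsub(/-----END CERTIFICATE----------BEGIN CERTIFICATE-----/,
                "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----"); print }' "$1" > "$2"
}
# Constructed bad input for the demo: leaf without its final newline, then the intermediate.
printf '%s' "$(cat example.com.crt)" > glued.crt; cat intermediate.crt >> glued.crt

# nginx fragment matching the files above (the resolver address is an assumption).
write_nginx_conf() {
    cat > example.com.ssl.conf <<EOF
ssl_certificate         $WORK/ssl-bundled.crt;   # leaf + intermediates, sent to clients
ssl_certificate_key     $WORK/example.com.key;
ssl_trusted_certificate $WORK/trusted.crt;       # intermediates + root, not sent, for stapling
ssl_stapling            on;
ssl_stapling_verify     on;
resolver                127.0.0.1 valid=300s;
EOF
}

# Run the checks as you would against real files.
[ "$(modulus_hash rsa example.com.key)" = "$(modulus_hash x509 ssl-bundled.crt)" ] \
    && echo "key matches the first certificate in the bundle"
contains_anchor ssl-bundled.crt && echo "bundle contains anchor" || echo "no anchor in bundle"
chain_verifies ssl-bundled.crt root.crt && echo "client can build the chain"
has_glued_boundary glued.crt && echo "glued.crt would fail in nginx; run unglue_bundle on it"
list_chain ssl-bundled.crt
write_nginx_conf && cat example.com.ssl.conf
```

To use it against real files, drop the generation section and point the functions at your own key, CSR and bundle. Because modulus_hash with x509 reads only the first certificate in a file, running it on the bundle is also the check that the leaf comes first; contains_anchor is the check for the Qualys "Contains anchor" complaint, and the trusted.crt file is what ssl_trusted_certificate wants when ssl_stapling_verify is on.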

Possibly the best tutorial online. Helped me solve a problem with SSL, a Comodo cert, and Stripe -- specifically this error: "SSL Library Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (SSL alert number 48)". Odd how Comodo and Stripe either do not have this info or bury it such that it is useless.